diff --git a/README.md b/README.md
index 931ac1c..6319fa6 100644
--- a/README.md
+++ b/README.md
@@ -166,6 +166,74 @@ jobs:
 token: ${{ secrets.GH_TOKEN_FOR_UPDATES }}
 ```
 
+## With GPG commit signing
+
+It's possible for the bot to produce GPG signed commits. Associating a GPG public key to a github user account is not required but it is necessary if you want the signed commits to appear as verified in Github. This can be a compliance requirement in some cases.
+
+You can follow [Github's guide on creating and/or adding a new GPG key to an user account](https://docs.github.com/en/authentication/managing-commit-signature-verification/adding-a-new-gpg-key-to-your-github-account). Using a specific github user account for the bot can be a good security measure to dissociate this bot's actions and commits from your personal github account.
+
+For the bot to produce signed commits, you will have to provide the GPG private keys to this action's input parameters. You can safely do that with [Github secrets as explained here](https://github.com/crazy-max/ghaction-import-gpg#prerequisites).
+
+When using commit signing, the commit author name and email for the commits produced by this bot would correspond to the ones associated to the GPG Public Key.
+
+You can find an example of how to using this action with commit signing below:
+
+```yaml
+name: update-flake-lock
+on:
+ workflow_dispatch: # allows manual triggering
+ schedule:
+ - cron: '0 0 * * 1,4' # Run twice a week
+
+jobs:
+ lockfile:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v2
+ - name: Install Nix
+ uses: cachix/install-nix-action@v16
+ - name: Update flake.lock
+ uses: DeterminateSystems/update-flake-lock@vX
+ with:
+ sign-commits: true
+ gpg-private-key: ${{ secrets.GPG_PRIVATE_KEY }}
+ gpg-passphrase: ${{ secrets.GPG_PASSPHRASE }}
+```
+
+## Custom PR Body
+
+By default the generated PR body is set to be the following template:
+
+````handlebars
+Automated changes by the [update-flake-lock](https://github.com/DeterminateSystems/update-flake-lock) GitHub Action.
+
+```
+{{ env.GIT_COMMIT_MESSAGE }}
+```
+
+### Running GitHub Actions on this PR
+
+GitHub Actions will not run workflows on pull requests which are opened by a GitHub Action.
+
+To run GitHub Actions workflows on this PR, run:
+
+```sh
+git branch -D update_flake_lock_action
+git fetch origin
+git checkout update_flake_lock_action
+git commit --amend --no-edit
+git push origin update_flake_lock_action --force
+```
+````
+
+However you can customize it, with variable interpolation performed with [Handlebars](https://handlebarsjs.com/). This allows you to customize the template with the following variables:
+- env.GIT_AUTHOR_NAME
+- env.GIT_AUTHOR_EMAIL
+- env.GIT_COMMITTER_NAME
+- env.GIT_COMMITTER_EMAIL
+- env.GIT_COMMIT_MESSAGE
+
 ## Contributing
 
 Feel free to send a PR or open an issue if you find something functions unexpectedly! Please make sure to test your changes and update any related documentation before submitting your PR.
diff --git a/action.yml b/action.yml
index 0a60068..e51bd5c 100644
--- a/action.yml
+++ b/action.yml
@@ -21,10 +21,46 @@ inputs:
 description: 'The title of the PR to be created'
 required: false
 default: "flake.lock: Update"
+ pr-body:
+ description: 'The body of the PR to be created'
+ required: false
+ default: |
+ Automated changes by the [update-flake-lock](https://github.com/DeterminateSystems/update-flake-lock) GitHub Action.
+
+ ```
+ {{ env.GIT_COMMIT_MESSAGE }}
+ ```
+
+ ### Running GitHub Actions on this PR
+
+ GitHub Actions will not run workflows on pull requests which are opened by a GitHub Action.
+
+ To run GitHub Actions workflows on this PR, run:
+
+ ```sh
+ git branch -D update_flake_lock_action
+ git fetch origin
+ git checkout update_flake_lock_action
+ git commit --amend --no-edit
+ git push origin update_flake_lock_action --force
+ ```
+
 pr-labels:
 description: 'A comma or newline separated list of labels to set on the Pull Request to be created'
 required: false
 default: ''
+ sign-commits:
+ description: 'Set to true if the action should sign the commit with GPG'
+ required: false
+ default: 'false'
+ gpg-private-key:
+ description: 'GPG Private Key with which to sign the commits in the PR to be created'
+ required: false
+ default: ''
+ gpg-passphrase:
+ description: 'GPG Private Key Passphrase for the GPG Private Key with which to sign the commits in the PR to be created'
+ required: false
+ default: ''
 outputs:
 pull-request-number:
 description: 'The number of the opened pull request'
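Review bot: The `gpg-private-key` and `gpg-passphrase` descriptions do not tell the user that these values are expected to come from an encrypted secret; the README section added in this commit says so, but `action.yml` is what the Marketplace listing and editor tooling surface. Suggest `description: 'GPG Private Key with which to sign the commits in the PR to be created; pass it from an encrypted secret (e.g. secrets.GPG_PRIVATE_KEY), never as a literal in the workflow file'` and the same addition on `gpg-passphrase`. It would also help to state in the `sign-commits` description that the value is compared as the string `'true'`, since the steps in this file test `inputs.sign-commits == 'true'`.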
@@ -32,49 +68,82 @@ outputs:
 runs:
 using: "composite"
 steps:
- - run: $GITHUB_ACTION_PATH/update-flake-lock.sh
+ - name: Import bot's GPG key for signing commits
+ if: ${{ inputs.sign-commits == 'true' }}
+ id: import-gpg
+ uses: crazy-max/ghaction-import-gpg@v4
+ with:
+ gpg_private_key: ${{ inputs.gpg-private-key }}
+ passphrase: ${{ inputs.gpg-passphrase }}
+ git_config_global: true
+ git_user_signingkey: true
+ git_commit_gpgsign: true
+ - name: Set environment variables (signed commits)
+ if: ${{ inputs.sign-commits == 'true' }}
 shell: bash
 env:
- GIT_AUTHOR_NAME: github-actions[bot]
- GIT_AUTHOR_EMAIL:
- GIT_COMMITTER_NAME: github-actions[bot]
- GIT_COMMITTER_EMAIL:
+ GIT_AUTHOR_NAME: ${{ steps.import-gpg.outputs.name }}
+ GIT_AUTHOR_EMAIL: ${{ steps.import-gpg.outputs.email }}
+ GIT_COMMITTER_NAME: ${{ steps.import-gpg.outputs.name }}
+ GIT_COMMITTER_EMAIL: ${{ steps.import-gpg.outputs.email }}
+ TARGETS: ${{ inputs.inputs }}
+ run: |
+ echo "GIT_AUTHOR_NAME=$GIT_AUTHOR_NAME" >> $GITHUB_ENV
+ echo "GIT_AUTHOR_EMAIL=<$GIT_AUTHOR_EMAIL>" >> $GITHUB_ENV
+ echo "GIT_COMMITTER_NAME=$GIT_COMMITTER_NAME" >> $GITHUB_ENV
+ echo "GIT_COMMITTER_EMAIL=<$GIT_COMMITTER_EMAIL>" >> $GITHUB_ENV
+ - name: Set environment variables (unsigned commits)
+ if: ${{ inputs.sign-commits != 'true' }}
+ shell: bash
+ run: |
+ echo "GIT_AUTHOR_NAME=github-actions[bot]" >> $GITHUB_ENV
+ echo "GIT_AUTHOR_EMAIL=" >> $GITHUB_ENV
+ echo "GIT_COMMITTER_NAME=github-actions[bot]" >> $GITHUB_ENV
+ echo "GIT_COMMITTER_EMAIL=" >> $GITHUB_ENV
+ - name: Run update-flake-lock.sh
+ run: $GITHUB_ACTION_PATH/update-flake-lock.sh
+ shell: bash
+ env:
+ GIT_AUTHOR_NAME: ${{ env.GIT_AUTHOR_NAME }}
+ GIT_AUTHOR_EMAIL: ${{ env.GIT_AUTHOR_EMAIL }}
+ GIT_COMMITTER_NAME: ${{ env.GIT_COMMITTER_NAME }}
+ GIT_COMMITTER_EMAIL: ${{ env.GIT_COMMITTER_EMAIL }}
 TARGETS: ${{ inputs.inputs }}
 COMMIT_MSG: ${{ inputs.commit-msg }}
- - run: |
- content="$(git log --format=%b -n 1)"
- content="${content//'%'/'%25'}"
- content="${content//$'\n'/'%0A'}"
- content="${content//$'\r'/'%0D'}"
- echo "::set-output name=msg::$content"
+ - name: Save PR Body as file
+ uses: DamianReeves/write-file-action@v1.1
+ with:
+ path: pr_body.template
+ contents: ${{ inputs.pr-body }}
+ env: {}
+ - name: Set additional env variables (GIT_COMMIT_MESSAGE)
 shell: bash
- id: commit_message
+ run: |
+ GIT_COMMIT_MESSAGE="$(git log --format=%b -n 1)"
+ GIT_COMMIT_MESSAGE="${GIT_COMMIT_MESSAGE//'%'/'%25'}"
+ GIT_COMMIT_MESSAGE="${GIT_COMMIT_MESSAGE//$'\n'/'%0A'}"
+ GIT_COMMIT_MESSAGE="${GIT_COMMIT_MESSAGE//$'\r'/'%0D'}"
+ echo "GIT_COMMIT_MESSAGE=$GIT_COMMIT_MESSAGE" >> $GITHUB_ENV
+ echo "GIT_COMMIT_MESSAGE is: ${GIT_COMMIT_MESSAGE}"
+ - name: Interpolate PR Body
+ uses: pedrolamas/handlebars-action@v2.0.0
+ with:
+ files: 'pr_body.template'
+ output-filename: 'pr_body.txt'
+ - name: Read pr_body.txt
+ id: pr_body
+ uses: andstor/file-reader-action@v1
+ with:
+ path: "pr_body.txt"
 - name: Create PR
 id: create-pr
 uses: peter-evans/create-pull-request@v3
 with:
 branch: ${{ inputs.branch }}
 delete-branch: true
+ committer: ${{ env.GIT_COMMITTER_NAME }} ${{ env.GIT_COMMITTER_EMAIL }}
+ author: ${{ env.GIT_AUTHOR_NAME }} ${{ env.GIT_AUTHOR_EMAIL }}
 title: ${{ inputs.pr-title }}
 token: ${{ inputs.token }}
 labels: ${{ inputs.pr-labels }}
- body: |
- Automated changes by the [update-flake-lock](https://github.com/DeterminateSystems/update-flake-lock) GitHub Action.
-
- ```
- ${{ steps.commit_message.outputs.msg }}
- ```
-
- ### Running GitHub Actions on this PR
-
- GitHub Actions will not run workflows on pull requests which are opened by a GitHub Action.
-
- To run GitHub Actions workflows on this PR, run:
-
- ```sh
- git branch -D update_flake_lock_action
- git fetch origin
- git checkout update_flake_lock_action
- git commit --amend --no-edit
- git push origin update_flake_lock_action --force
- ```
+ body: ${{ steps.pr_body.outputs.contents }}
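Review bot: The `Set additional env variables (GIT_COMMIT_MESSAGE)` step keeps the `%25`/`%0A`/`%0D` escaping that the removed `::set-output` line needed, but the value is now appended to `$GITHUB_ENV`, which as far as I know does not decode those sequences, so a multi-line commit body reaches the Handlebars template and the PR body with literal `%0A` in place of newlines. Multi-line values belong in `$GITHUB_ENV` via the `NAME<<DELIMITER` heredoc form, with a delimiter that cannot occur in the commit message, which also keeps a line of the commit body from being read as a further `NAME=value` assignment. Separately, the new third-party actions that receive `inputs.gpg-private-key` or produce the PR body (`crazy-max/ghaction-import-gpg@v4`, `DamianReeves/write-file-action@v1.1`, `pedrolamas/handlebars-action@v2.0.0`, `andstor/file-reader-action@v1`) are referenced by mutable tags; pinning them to a full commit SHA limits what a retagged or compromised release could do with the private key. In the unsigned path `GIT_AUTHOR_EMAIL=` and `GIT_COMMITTER_EMAIL=` are empty, so the `author:`/`committer:` values passed to create-pull-request become `github-actions[bot] ` with no `<email>` part — worth confirming that input accepts that form, since the previous version did not pass these inputs at all.
```yaml
      - name: Set additional env variables (GIT_COMMIT_MESSAGE)
        shell: bash
        run: |
          GIT_COMMIT_MESSAGE="$(git log --format=%b -n 1)"
          # Heredoc form keeps newlines intact; the random suffix keeps a line of the
          # commit body from terminating the value early.
          delimiter="GIT_COMMIT_MESSAGE_$(head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n')"
          {
            echo "GIT_COMMIT_MESSAGE<<${delimiter}"
            echo "${GIT_COMMIT_MESSAGE}"
            echo "${delimiter}"
          } >> "$GITHUB_ENV"
          echo "GIT_COMMIT_MESSAGE is: ${GIT_COMMIT_MESSAGE}"
      # … unchanged: Interpolate PR Body, Read pr_body.txt, Create PR …
```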